Details: Upon execution, this worm decodes its data in memory. It then copies itself to a WINK*.EXE file in the Windows System directory. The copy has a hidden attribute and the * is a random number of random characters.
It then creates the following registry entry so that it executes upon system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Wink* = "%System%\Wink*.exe"
where * is any random number of random characters.
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
This worm also installs itself as a service by adding the following registry entries:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink*
Type = "dword:00000110"
Start = "dword:00000002"
ErrorControl = "dword:00000000"
ImagePath = "%System%\Wink*.exe"
DisplayName = "Wink*"
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink*\Security
Security = "hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00, 00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00, 00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00, fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00, ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00, 00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00, 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23, 02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00, 00,05,12,00,00,00"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink*\Enum
0 = "Root\LEGACY_WINK*\0000"
Count = "dword:00000001"
NextInstance = "dword:00000001"
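As an added defender-side example (not from the original report), the following Python parses a constructed, simplified .reg-style export and flags the persistence pattern described above: an auto-start service whose ImagePath is also registered under the Run key, or whose image matches the %System%\Wink*.exe naming. The WinkQx7 name and the Spooler entry are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
# Image names of the form %System%\Wink<random>.exe, as listed above
WINK_IMAGE = re.compile(r"%System%\\Wink\w*\.exe$", re.IGNORECASE)

# Constructed, simplified .reg-style export (backslashes not doubled). "WinkQx7"
# stands in for the random Wink* name and is not taken from a real sample.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinkQx7"="%System%\WinkQx7.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinkQx7]
"Start"=dword:00000002
"ImagePath"="%System%\WinkQx7.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the simplified export into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def find_klez_style_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (reason, image_path, service_key) for auto-start services whose image
    is also a Run entry (the dual persistence above) or matches Wink*.exe."""
    run_images = {v.lower() for v in keys.get(RUN_KEY, {}).values()}
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_KEY.lower() + "\\"):
            continue
        image = values.get("ImagePath", "")
        if values.get("Start") == "dword:00000002" and image.lower() in run_images:
            findings.append(("run-and-service", image, key))
        if WINK_IMAGE.search(image):
            findings.append(("wink-image-name", image, key))
    return findings
```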
Like WORM_KLEZ.A, this worm has several threads that accomplish its propagation and payload mechanisms. Its main features are a mass-mailing routine, dropping of the PE_ELKERN.B file infector virus, network infection, and an antivirus retaliation procedure.
Propagation and Exploits
It also takes advantage of the following Windows vulnerability to propagate:
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
For more information about this vulnerability, please refer to the following Microsoft Web page:
This worm sends email messages with itself as the file attachment to propagate rapidly. The subjects of its email messages are randomly taken from the following:
- %s removal tools
- a %s %s game
- a %s %s patch
- a %s %s tool
- a %s %s website
- congratulations
- Darling
- Eager to see you
- honey
- How are you
- Introduction on ADSL
- Japanese girl VS playboy
- Japanese lass' sexy pictures
- let's be friends
- Look,my beautiful girl friend
- meeting notice
- Please try again
- questionnaire
- Returned mail
- So cool a flash,enjoy it
- some questions
- Sos!
- Spice girls' vocal concert
- The Garden of Eden
- Undelivarable mail
- Welcome to my hometown
- Your password
Where %s can be any of the following words:
- excite
- F-Secure
- funny
- good
- humour
- IE 6.0
- Kaspersky
- Mcafee
- new
- nice
- powful
- Sophos
- Symantec
- Trendmicro
- W32.Elkern
- W32.Klez.E
- WinXP
The worm mass-mails itself to recipients found in the default Windows Address Book (WAB). The path and file name of the WAB file are given in the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name = "{path and file name of the WAB file}"
Like other KLEZ variants, this worm may change or spoof the original email address in the FROM: field. It takes the addresses it places in the FROM: field from files it finds on the host computer.
The actual email address of the sender is found in the Envelope From field. This address is taken from the infected user's SMTP account, which is found at the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
Since the Envelope From field does not appear in the email body, the only way to obtain this information is by monitoring the TCP packets of the SMTP session.
It then constructs the HTML mail, which contains the base64-encoded worm copy, and randomly generates the file name of the attachment.
It obtains its SMTP server from the registry as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\, SMTP Server
It then sends commands to the SMTP server to create and send an email. The subject and message body of the email may be randomly composed.
It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This vulnerability is known as Automatic Execution of Embedded MIME type.
The infected email carries the executable attachment with a declared Content-Type of audio/x-wav or, sometimes, audio/x-midi, so that when recipients view the infected email, the default application associated with audio files (usually Windows Media Player) is opened. The embedded .EXE file cannot be viewed in Microsoft Outlook. More information about this vulnerability is available in Microsoft's Security Bulletin.
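An added detection example, not part of the original report: the Python below builds a constructed message shaped like the lure described above (an audio/x-wav part whose base64 payload begins with the MZ executable header) and flags any part whose declared audio type conflicts with its content or file name. The addresses, subject and the file name xwhz.exe are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Content-Types the worm declares for its executable attachment (from the description above)
AUDIO_LURE_TYPES = {"audio/x-wav", "audio/x-midi"}
EXECUTABLE_MAGIC = b"MZ"           # every DOS/Windows PE executable starts with "MZ"
EXEC_EXTS = (".exe", ".pif", ".scr", ".bat", ".com")


def build_sample_message() -> bytes:
    """Construct a synthetic message shaped like the lure described above: an HTML
    body plus a part declared audio/x-wav whose base64 payload is really a PE stub.
    The payload is an MZ header followed by filler bytes, not a program (constructed)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"             # placeholder address
    msg["Subject"] = "a nice IE 6.0 patch"              # one of the listed subject patterns
    msg.set_content("<html><body>see attachment</body></html>", subtype="html")
    inert_stub = EXECUTABLE_MAGIC + b"\x90\x00" + b"\x00" * 60
    msg.add_attachment(inert_stub, maintype="audio", subtype="x-wav",
                       filename="xwhz.exe")             # hypothetical random name
    return msg.as_bytes()


def find_disguised_executables(raw: bytes) -> List[str]:
    """Flag parts whose declared type is an audio lure type but whose decoded
    bytes carry the MZ header, or whose file name has an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in AUDIO_LURE_TYPES:
            continue
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(EXECUTABLE_MAGIC):
            findings.append(f"{ctype} part {name!r}: payload starts with MZ header")
        if name.lower().endswith(EXEC_EXTS):
            findings.append(f"{ctype} part {name!r}: executable file extension")
    return findings


if __name__ == "__main__":
    for hit in find_disguised_executables(build_sample_message()):
        print("SUSPICIOUS:", hit)
```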
Dropping of PE_ELKERN.B
The worm drops a randomly named file in the Program Files directory (usually C:\Program Files). Approximately 12KB in size, this program can infect files in network shared folders and disable system file protection. It can also infect EXPLORER.EXE in memory. This program is detected as PE_ELKERN.B. Oftentimes, it deletes itself after running.
Network Infection
This worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all shared resources in the network. For shared folders with read/write access, it copies itself to files with randomly generated file names. The dropped files have the following extensions:
- .BAT
- .COM
- .EXE
- .PIF
- .RAR
- .SCR
Occasionally, this worm copies itself to a random file name with double extensions. The first extension name can be any of the following:
- .BAK
- .BAT
- .C
- .CPP
- .DOC
- .EXE
- .HTM
- .HTML
- .MP3
- .MP8
- .MPEG
- .MPQ
- .PAS
- .PIF
- .SCR
- .TXT
- .WAB
- .XLS
The second extension can be any of the extensions in the first list above (.BAT, .COM, .EXE, .PIF, .RAR, .SCR).
Antivirus Retaliation Procedure
The worm terminates the running processes of, and occasionally deletes the executable files of, programs associated with the following antivirus product names:
- *SCAN* (* stands for any characters)
- *VIRUS* (* stands for any characters)
- _AVP32
- _AVPCC
- _AVPM
- ACKWIN32
- ALERTSVC
- AMON
- ANTIVIR
- Antivir
- AVCONSOL
- AVE32
- AVGCTRL
- AVP32
- AVPCC
- AVPM
- AVPTC
- AVPUPD
- AVWIN95
- CLAW95
- DVP95
- F-AGNT95
- F-PROT95
- FP-WIN
- F-STOPW
- IOMON98
- LOCKDOWN2000
- Mcafee
- N32SCANW
- NAV
- NAVAPSVC
- NAVAPW32
- NAVLU32
- NAVRUNR
- NAVW32
- NAVWNT
- NOD32
- Norton
- NPSSVC
- NRESQ32
- NSCHED32
- NSCHEDNT
- NSPLUGIN
- NVC95
- PCCWIN98
- SCAN32
- SWEEP95
- TASKMGR
- VET95
- VETTRAY
- VSHWIN32
The worm also scans for the above strings as values in the following registry key, and deletes them if found:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Finally, the worm searches for and then deletes the following files:
- AGUARD.DAT
- ANTI-VIR.DAT
- AVGQT.DAT
- CHKLIST.CPS
- CHKLIST.DAT
- CHKLIST.MS
- CHKLIST.TAV
- IVB.NTZ
- SMARTCHK.CPS
- SMARTCHK.MS
This worm does not perform its antivirus retaliation routine on machines running NT 4.0 or lower, due to an unavailability of system functions or APIs it uses to kill the antivirus-related processes.
Stealth Routine
On Windows 98/95 systems, the worm registers itself as a service process to hide itself from the taskbar. On Windows 2000 systems, the worm creates a system service and registers it as a service control dispatcher. In this way the service control manager always calls the worm service upon Windows startup.
Notes On Windows NT 4.0 and Earlier Versions
Although it does not execute on WinNT 4.0 and earlier versions, infection of machines with this operating system is possible if the machine has shared folders. The dropped virus, PE_ELKERN.B, infects files in shared drives. When this happens, a full infection of the system may ensue since PE_ELKERN.B executes on any Windows platform.
Analysis By: Darwin Te
Updated By: Mark Anthony Balanza
Revision History:
Jul 10, 2005 - Modified Virus Report